Security Flaws Under the Microscope

A study unveiled at the Black Hat Briefings conference in Las Vegas last week paints a grim picture of network security problems.

Among the study's surprising results: Some kinds of computer security vulnerabilities--especially ones with an aggressive "exploit" (something that takes advantage of the vulnerability, such as a worm or virus)--may plague computer networks indefinitely.

"I wanted to understand how prevalent critical vulnerabilities are," said Gerhard Eschelbeck, chief technology officer of security software provider Qualys and author of the study. His first-of-its-kind research is the result of 18 months of constantly probing his customers' networks for common security problems.

The study, along with guidelines proposed by the Organization for Internet Safety (OIS) on how to report buggy and insecure software dominated the first day of the conference.

Perpetual Vulnerabilities

Thought Slammer was over? Not according to Eschelbeck's study.

In his research, the security hole that allows entry to the Microsoft SQL Slammer worm, which first appeared in January of this year (and for which a patch was available as of July 2002), was detected more than 30 times in the first week of February, then sharply declined over the following six weeks to just five detections the week of March 22nd. That sounds like good news, but since attention to the worm waned, Slammer's hole has made a comeback, with 22 vulnerable PCs detected the week of June 28. (The research did not indicate whether the scanned computers had become infected or otherwise fell victim to the security problems, only that they were in peril.)

For the Code Red worm, the rise is less dramatic, but detectable. From the end of April through the end of June, Eschelbeck's research detected a slight rise in the average number of Code Red-vulnerable computers among the networks he scanned. Code Red first made an appearance in June 2001.

Eschelbeck theorized that IT departments are partly to blame for the resurgence of some old security problems. Computer support staff store "images" of hard drives with pertinent data, drivers, and software configurations, so they can quickly restore a laptop or desktop to the company's defaults. But often, the IT department doesn't update those images to include the latest patches to the operating system or the applications. When a computer hard drive has the old image reinstalled, all the old problems come with it.

In addition, a number of home computer users didn't apply recommended security patches to their systems, so their vulnerabilities--detectable by Eschelbeck's software--remain a threat to the rest of the networked world.

After he built his scanning tool, Eschelbeck got results by keeping track of the number and type of known security problems as he scanned more than 1.5 million IP addresses. Armed with a database of 2041 different security vulnerabilities, he also created the first Top 10 Vulnerabilities List (available at:, which updates in real time as new scan results come in. This is an ongoing project for Eschelbeck.

Computer users may test their own systems, anonymously and at no charge, using Eschelbeck's RV10 tool.

Eschelbeck's Laws of Vulnerabilities

In analyzing his research, Eschelbeck spotted patterns which helped him develop what he called his four Laws of Vulnerabilities.

Law 1: The half-life of vulnerabilities (meaning the amount of time that passes from the point a vulnerability is discovered until the number of affected computers is halved) is 30 days.

Law 2: About half of the most prevalent serious vulnerabilities change over the course of a year, but others persist. And the associated Law 3: Some security problems will remain indefinitely.

Law 4: Eighty percent of vulnerabilities have an exploit within 60 days, on average.

Don't let that 60-day figure make you complacent, though. "The underground is ramping up their efforts to build exploits because they know they have a very short window before a fix gets released," said analyst Simple Nomad of Bindview, a company that helps businesses secure their computer networks.

Bug Report Procedures Proposed, Criticized

As a result of the speed with which some hackers build exploit tools, software companies are scrambling to develop procedures to respond to people who discover and report security vulnerabilities.

One set of such procedures has just been released by OIS, a group of security companies and software makers that includes Oracle and Microsoft. The OIS Vulnerability Handling Guidelines describe a comprehensive set of "best practices" software makers should use to handle security bug reports.

The guidelines call for the maker of the software for which a security vulnerability has been detected to restrict release of full technical details of a bug to a short list of businesses, such as antivirus vendors, while a patch is being developed for the vulnerable software. Only after a period of no less than 30 days would technical details become widely available.

"We saw that releasing [full technical details of] exploits at the same time as the patch was doing more harm than good," said Chris Wysopal, director of research and development for security consulting firm @stake. The company's clients, including major corporations, "were getting owned on the first day the [security bug] exploit was getting released," he explained. Wysopal helped develop the guidelines.

Some attendees suggested that this delay in sharing information benefits some companies by increasing the value of paid security mailing lists, while harming academic research into security problems. Several others also derided the guidelines for being too optimistic, making assumptions about the motivation of people who find and report vulnerabilities, as well as their willingness to cooperate.

The guidelines remain controversial. However, the companies that participate in the OIS are not bound by them--they are merely recommendations.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Andrew Brandt

PC World
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?